Moving your Encrypted Home Meta Data out of /var/lib/ecryptfs

August 6, 2009

In the spirit of the FHS, Encrypted Home Directories in Ubuntu 9.04 stored certain configuration information about your Encrypted Home setup in /var/lib/ecryptfs.

However “correct” this location might be, it has caused considerable pain to a number of users, mostly because people don’t backup /var/lib, generally. That said, it is totally possible to re-generate all of the information in your /var/lib/ecryptfs directory if you recorded your all-important mount passphrase.

In any case, this is not the most user-friendly place to store this information.

Thus, in Karmic, we are using /home/.ecryptfs instead of /var/lib/ecryptfs. Each user encrypting their home directory will have a a directory in /home/.ecryptfs/$USER which will contain the “real” .ecryptfs and .Private directories.

This provides a couple of advantages.

First, your /home directory is completely self-contained. You can backup that entire hierarchy and save all of the data necessary (excepting your secret passphrase, of course). Actually, many users make /home a separate partition.

Secondly, having access to /home/.ecryptfs/$USER/.Private means that you can much more easily perform backups of your encrypted data. This feature has been requested many, many times.

You can actually take advantage of this same configuration in Ubuntu 9.04, if you follow the guide below. I recommend doing so😉

As always, you should log out of all desktop sessions, and perform these instructions from a tty terminal, or an ssh session.


#!/bin/sh -e

# Move out of your home directory
cd /

# If your encrypted home is not mounted, try to mount it
grep -qs " $HOME ecryptfs " /proc/mounts || ecryptfs-mount-private

# With root privilege, create a /home/.ecryptfs/$USER directory
sudo mkdir -p /home/.ecryptfs/$USER

# Make sure $USER owns that
sudo chown $USER:$USER /home/.ecryptfs/$USER

# Rename your /var/lib/ecryptfs/$USER dir to the new location
sudo mv -f /var/lib/ecryptfs/$USER /home/.ecryptfs/$USER/.ecryptfs

# Remove the two symlinks in your mounted home, to .ecryptfs and .Private
rm -f $HOME/.ecryptfs $HOME/.Private

# Establish links to these two dirs
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private

# Unmount home
while ecryptfs-umount-private | grep "Sessions still open"; do
true
done

# Make your unmounted home writable (briefly)
sudo chmod 700 $HOME

# Move the *real* .Private directory to the new location
mv -f $HOME/.Private /home/.ecryptfs/$USER/

# Remove the .ecryptfs and .Private links
rm -f $HOME/.ecryptfs $HOME/.Private

# Re-establish the .ecryptfs and .Private links
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private

# Mount your home directory again
ecryptfs-mount-private

:-Dustin

7 Responses to “Moving your Encrypted Home Meta Data out of /var/lib/ecryptfs”

  1. HeX Says:

    Great. This is a real improvement! Thanks for this.
    /imexil

  2. Kevin Says:

    Hi Dustin, thanks for this post.
    Could you please explain the above block of commands for Ubuntu 9.04 users a bit? More specifically, I do not have a ~/.Private as long as my encrypted home folder is mounted. So some of the commands will not do anything. Is this okay?
    Sorry for being chicken-hearted, but I do not want to brake my by now perfect setup.
    Thanks again, Kevin.

  3. Dustin Kirkland Says:

    @Kevin-

    Done. See inline comments.

    :-Dustin

  4. Kevin Says:

    Great, thanks! I nearly got it. Still, there is no $HOME/.Private in my encrypted home while mounted. Should it be there? (I installed my 9.04 with the "encrypt home folder flag" enabled in the installer as you show in an earlier post. Everything worked fine for months now…)
    Regards, Kevin.

  5. x Says:

    After running ecryptfs-setup-private I found I had to run "pam-auth-update –force" to get ecryptfs to automount (to get it into the /etc/pam.d/* config files).

    Running pam-auth-update by itself complained that there were local modifications to /etc/pam.d/common-* so I had to use –force … I can't quite remember but I may have been monkeying around with pam.d trying to get my finger print reader to work a long time ago…

  6. thetick2009 Says:

    Hi dustin, i have been playing around with my ubuntu setup and did some init.d scripting … and this is where my problem with ecryptfs popps up.

    I loaded /bin /sbin /etc /var /lib /lib32 into an
    ramdisk (tmpfs) then I squashed my /usr and loaded that into an ramdisk too and also used aufs to make it writeble. The init script kicks in right after “mounting local filesystems” (update-rc.d ramdisk.sh start 35 S .)This all works very nice … if i shutdown my pc everything is synched to disk….

    Then i started to do what i did to my /usr dir to my /home dir too … everything works but my /home directory is still encrypted and i can’t decrypt it anymore. Even if i do the steps in ecryptfs-mount-private manualy. There is no error message which could give me an hint. So maybe you can help me here a bit…

    Thanks in advance … chriss

  7. Dustin Kirkland Says:

    Chriss-

    I’m sorry, but blog comments are not the most efficient mechanism for troubleshooting this sort of problem. For better support, please ask a question or file a bug in Launchpad, or as for some help in the Ubuntu Forums.

    :-dustin


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: